Added migrating vaultwarden to nixos blog article

1 files changed, 213 insertions, 0 deletions

diff --git a/content/blog/nix/migrating-vaultwarden.md b/content/blog/nix/migrating-vaultwarden.md
new file mode 100644
index 0000000..a095070
--- /dev/null
+++ b/content/blog/nix/migrating-vaultwarden.md
@@ -0,0 +1,213 @@
+---
+title: Migrating vaultwarden to nixos
+description: How I migrated my vaultwarden installation to nixos
+date: 2023-12-20
+tags:
+- nix
+- vaultwarden
+---
+
+## Introduction
+
+I am migrating several services from a k3s kubernetes cluster to a nixos server. Here is how I performed the operation with my [vaultwarden](https://github.com/dani-garcia/vaultwarden) password manager.
+
+## Vaultwarden with nixos
+
+Vaultwarden is packaged on nixos, but I am used to the hosting the container image and upgrading it at my own pace so I am sticking with it for now.
+
+Here is the module I wrote to deploy a vaultwarden container, configure postgresql and borg backups in `apps/vaultwarden/app.nix`:
+```nix
+{ config, lib, pkgs, ... }:
+{
+	imports = [
+	  ../../lib/nginx.nix
+	  ../../lib/postgresql.nix
+	];
+	environment.etc = {
+		"borg-vaultwarden-db.key" = {
+			mode = "0400";
+			source = ./borg-db.key;
+		};
+		"borg-vaultwarden-storage.key" = {
+			mode = "0400";
+			source = ./borg-storage.key;
+		};
+	};
+	services = {
+		borgbackup.jobs = let defaults = {
+			compression = "auto,zstd";
+			doInit = true;
+			encryption.mode = "none";
+			prune.keep = {
+				daily = 14;
+				weekly = 4;
+				monthly = 3;
+			};
+			startAt = "daily";
+		}; in {
+			"vaultwarden-db" = defaults // {
+				environment.BORG_RSH = "ssh -i /etc/borg-vaultwarden-db.key";
+				paths = "/tmp/vaultwarden.sql";
+				postHook = "rm -f /tmp/vaultwarden.sql";
+				preHook = ''rm -f /tmp/vaultwarden.sql; /run/current-system/sw/bin/pg_dump -h localhost -U vaultwarden -d vaultwarden > /tmp/vaultwarden.sql'';
+				repo = "ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-db";
+			};
+			"vaultwarden-storage" = defaults // {
+				environment.BORG_RSH = "ssh -i /etc/borg-vaultwarden-storage.key";
+				paths = "/srv/vaultwarden";
+				repo = "ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-storage";
+			};
+		};
+		nginx.virtualHosts = let commons = {
+			forceSSL = true;
+			locations = {
+			  "/" = {
+			    proxyPass = "http://127.0.0.1:8083";
+			  };
+			};
+		}; in {
+			"pass.adyxax.org" = commons // {
+				sslCertificate = "/etc/nginx/adyxax.org.crt";
+				sslCertificateKey = "/etc/nginx/adyxax.org.key";
+			};
+		};
+		postgresql = {
+			ensureUsers = [{
+				name = "vaultwarden";
+				ensureDBOwnership = true;
+			}];
+			ensureDatabases = ["vaultwarden"];
+		};
+	};
+	virtualisation.oci-containers.containers = {
+		vaultwarden = {
+			environment = {
+				ADMIN_TOKEN = builtins.readFile ./argon-token.key;
+				DATABASE_MAX_CONNS = "2";
+				DATABASE_URL = "postgres://vaultwarden:" + (lib.removeSuffix "\n" (builtins.readFile ./database-password.key)) + "@10.88.0.1/vaultwarden?sslmode=disable";
+			};
+			image = "vaultwarden/server:1.30.1";
+			ports = ["127.0.0.1:8083:80"];
+			volumes = [ "/srv/vaultwarden/:/data" ];
+		};
+	};
+}
+```
+
+## Dependencies
+
+### Borg
+
+Borg needs to be running on another server with the following configuration stored in my `apps/vaultwarden/borg.nix` file:
+```nix
+{ config, pkgs, ... }:
+{
+        imports = [
+          ../../lib/borg.nix
+        ];
+        users.users.borg.openssh.authorizedKeys.keys = [
+                ("command=\"borg serve --restrict-to-path /srv/borg/vaultwarden-db\",restrict " + (builtins.readFile ./borg-db.key.pub))
+                ("command=\"borg serve --restrict-to-path /srv/borg/vaultwarden-storage\",restrict " + (builtins.readFile ./borg-storage.key.pub))
+        ];
+}
+```
+
+### PostgreSQL
+
+My postgreSQL module defines the following global configuration:
+```nix
+{ config, lib, pkgs, ... }:
+{
+	networking.firewall.interfaces."podman0".allowedTCPPorts = [ 5432 ];
+	services.postgresql = {
+		enable = true;
+		enableTCPIP = true;
+		package = pkgs.postgresql_15;
+		authentication = pkgs.lib.mkOverride 10 ''
+			#type database  DBuser                 auth-method
+			local all       all                    trust
+			# podman
+			host  all       all     10.88.0.0/16   scram-sha-256
+		'';
+	};
+}
+```
+
+Since for now I am running nothing outside of containers on this server, I am trusting the unix socket connections. Depending on what you are doing you might want a stronger auth-method there.
+
+### Nginx
+
+My nginx module defines the following global configuration:
+```nix
+{ config, lib, pkgs, ... }:
+{
+	environment.etc = let permissions = { mode = "0400"; uid= config.ids.uids.nginx; }; in {
+		"nginx/adyxax.org.crt" = permissions // { source = ../../01-legacy/adyxax.org.crt; };
+		"nginx/adyxax.org.key" = permissions // { source = ../../01-legacy/adyxax.org.key; };
+	};
+	networking.firewall.allowedTCPPorts = [ 80 443 ];
+	services.nginx = {
+		clientMaxBodySize = "40M";
+		enable = true;
+		enableReload = true;
+		recommendedGzipSettings = true;
+		recommendedOptimisation = true;
+		recommendedProxySettings = true;
+	};
+}
+```
+
+### Secrets
+
+There are several secrets referenced in the configuration, these are all git-crypted files:
+- argon-token.key
+- borg-db.key
+- borg-storage.key
+- database-password.key
+
+## Migration process
+
+The first step is obviously to deploy this new configuration to the server, then I need to login and manually restore the backups.
+```sh
+make run host=myth.adyxax.org
+```
+
+The container will be failing because no password is set on the database user yet, so I stop it:
+```sh
+systemctl stop podman-vaultwarden
+```
+
+There are two backup jobs for vaultwarden: one for its storage and the second one for the database.
+```sh
+export BORG_RSH="ssh -i /etc/borg-vaultwarden-storage.key"
+borg list ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-storage
+borg extract ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-storage::dalinar-vaultwarden-storage-2023-11-19T00:00:01
+mv srv/vaultwarden /srv/
+```
+
+```sh
+export BORG_RSH="ssh -i /etc/borg-vaultwarden-db.key"
+borg list ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-db
+borg extract ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-db::dalinar-vaultwarden-db-2023-11-19T00:00:01
+```
+
+Restoring the data itself is done with the psql shell:
+```sh
+psql -h localhost -U postgres -d vaultwarden
+ALTER USER vaultwarden WITH PASSWORD 'XXXXX';
+\i tmp/vaultwarden.sql
+```
+
+Afterwards I clean up the database dump and restart vaultwarden:
+```sh
+rm -rf tmp/
+systemctl start podman-vaultwarden
+```
+
+To wrap this up I migrate the DNS records to the new host, update my monitoring system and clean up the namespace on the k3s server.
+
+## Conclusion
+
+Automating things with nixos is satisfying, but it does not abstract all the sysadmin's work away.
+
+I am not quite satisfied with my borg configuration entries. I should be able to write this more elegantly when I find the time, but it works.